On the first page of the wizard, select the root of trust for encryption keys:

Cloudera Navigator Key Trustee Server

A file-based password-protected Java KeyStore

Cloudera strongly recommends using Cloudera Navigator Key Trustee Server as the root of trust for production environments. The file-based Java KeyStore root of trust is insufficient to
provide the security, scalability, and manageability required by most production systems. More specifically, the Java KeyStore KMS does not provide:

Scalability, so you are limited to only one KMS, which can result in bottlenecks

High Availability (HA)

Recoverability, so if you lose the node where the Java KeyStore is stored, then you can lose access to all the encrypted data

Ultimately, the Java KeyStore does not satisfy the stringent security requirements of most organizations for handling master encryption keys.

Choosing a root of trust displays a list of steps required to enable HDFS encryption using that root of trust. Each step can be completed independently. The Status column indicates whether the step has been completed, and the Notes column provides additional context for the step. If your Cloudera
Manager user account does not have sufficient privileges to complete a step, the Notes column indicates the required privileges.

Available steps contain links to wizards or documentation required to complete the step. If a step is unavailable due to insufficient privileges or a prerequisite step being incomplete,
no links are present and the Notes column indicates the reason the step is unavailable.

Continue to the section for your selected root of trust for further instructions:

Leave Enable High Availability checked to add two hosts to the cluster. Cloudera strongly recommends using high availability for Key Trustee Server.
Failure to enable high availability can result in complete data loss in the case of catastrophic failure of a standalone Key Trustee Server. Click Continue.

Search for new hosts to add to the cluster, or select the Currently Managed Hosts tab to add existing hosts to the cluster. After selecting the hosts,
click Continue.

Select the KEYTRUSTEE_SERVER parcel to install Key Trustee Server using parcels, or select None if you want to use packages. If you do not see a
parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list. After selecting a parcel
or None, click Continue.

Select the KEYTRUSTEE_SERVER parcel to install Key Trustee Server, or select None if you need to install Key Trustee Server manually using packages.
If you do not see a parcel available, click More Options and add the repository URL to the Remote Parcel Repository URLs list.
After selecting a parcel, click Continue.

After the KEYTRUSTEE_SERVER parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to
the main page of the wizard.

Select the KEYTRUSTEE parcel to install Key Trustee KMS. If you do not see a parcel available, click More Options and add the repository URL to the
Remote Parcel Repository URLs list. After selecting a parcel, click Continue.

After the KEYTRUSTEE parcel is successfully downloaded, distributed, unpacked, and activated, click Finish to complete this step and return to the
main page of the wizard.

6. Add a Key Trustee Server Service

This step adds the Key Trustee Server service to Cloudera Manager. To complete this step:

Click Add a Key Trustee Server Service.

Click Continue.

On the Customize Role Assignments for Key Trustee Server page, select the hosts for the Active Key Trustee Server
and Passive Key Trustee Server roles. Make sure that the selected hosts are not used for other services (see Resource Planning for Data at Rest Encryption for more information), and click Continue.

The Entropy Considerations page provides commands to install the rng-tools package to increase available entropy for
cryptographic operations. For more information, see Entropy Requirements. After completing these commands, click Continue.

The Synchronize Active and Passive Key Trustee Server Private Keys page provides instructions for generating and copying the Active Key Trustee Server
private key to the Passive Key Trustee Server. Cloudera recommends following security best practices and transferring the private key using offline media, such as a removable USB drive. For
convenience (for example, in a development or testing environment where maximum security is not required), you can copy the private key over the network using the provided rsync command.

After you have synchronized the private keys, run the ktadmin init command on the Passive Key Trustee Server as described in the wizard. After the
initialization is complete, check the box to indicate you have synchronized the keys and click Continue in the wizard.

The Setup TLS for Key Trustee Server page provides instructions on replacing the auto-generated self-signed certificate with a production certificate
from a trusted Certificate Authority (CA). For more information, see Managing Key Trustee Server Certificates. Click
Continue to view and modify the default certificate settings.

On the Review Changes page, you can view and modify the following settings:

Database Storage Directory (db_root)

Default value: /var/lib/keytrustee/db

The directory on the local filesystem where the Key Trustee Server database is stored. Modify this value to store the database in a different directory.

The path to the Active Key Trustee Server TLS certificate private key. Accept the default setting to use the auto-generated private key. If you have a CA-signed certificate, change this
path to the CA-signed certificate private key file. This file must be in PEM format.

The path to the Active Key Trustee Server TLS certificate. Accept the default setting to use the auto-generated self-signed certificate. If you have a CA-signed certificate, change this
to the path to the CA-signed certificate. This file must be in PEM format.

The path to the file containing the CA certificate and any intermediate certificates used to sign the Active Key Trustee Server certificate (if intermediate certificates exist, they must be included in this file). If you have a CA-signed certificate, set this value to the path to the CA certificate or certificate chain file. This file must be in PEM format.

The path to the Passive Key Trustee Server TLS certificate private key. Accept the default setting to use the auto-generated private key. If you have a CA-signed certificate, change this
path to the CA-signed certificate private key file. This file must be in PEM format.

The path to the Passive Key Trustee Server TLS certificate. Accept the default setting to use the auto-generated self-signed certificate. If you have a CA-signed certificate, change this
to the path to the CA-signed certificate. This file must be in PEM format.

The path to the file containing the CA certificate and any intermediate certificates used to sign the Passive Key Trustee Server certificate (if intermediate certificates exist, they must be included in this file). If you have a CA-signed certificate, set this value to the path to the CA certificate or certificate chain file. This file must be in PEM format.

The password for the Passive Key Trustee Server private key file. Leave this blank if the file is not password-protected.
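Before entering the certificate, private key and CA chain paths above, it is worth checking that the files are what the wizard expects: PEM format, a private key that matches its certificate, and a CA file that builds a complete chain. The following is an added example, not Cloudera's code; it needs openssl on the host, the file paths you pass are your own, and the KEY_PASS environment variable is an assumed convention for password-protected keys.

```shell
#!/bin/sh
# Added example (not Cloudera's code): sanity-check CA-signed TLS files
# before pointing Key Trustee Server at them. Requires openssl.
# KEY_PASS (assumed convention) holds the passphrase of a protected key.

# pem_ok FILE TYPE: the file must contain a PEM block of the given type
# (e.g. "PRIVATE KEY" matches RSA, EC and ENCRYPTED PRIVATE KEY headers).
pem_ok() {
  grep -q "^-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# key_matches_cert KEY CERT: extract the public key from both files and
# compare them; a mismatch means the wrong key file was supplied.
key_matches_cert() {
  if [ -n "${KEY_PASS:-}" ]; then
    k=$(openssl pkey -in "$1" -pubout -passin env:KEY_PASS 2>/dev/null) || return 1
  else
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || return 1
  fi
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies CERT CHAIN: the CA file (root plus any intermediates)
# must form a complete trust path to the server certificate.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_tls_files KEY CERT CHAIN: run every check, report findings on
# stdout, return 0 only if all of them pass.
check_tls_files() {
  rc=0
  pem_ok "$1" "PRIVATE KEY" || { echo "FAIL: $1 is not a PEM private key"; rc=1; }
  pem_ok "$2" "CERTIFICATE" || { echo "FAIL: $2 is not a PEM certificate"; rc=1; }
  pem_ok "$3" "CERTIFICATE" || { echo "FAIL: $3 is not a PEM certificate"; rc=1; }
  [ "$rc" -eq 0 ] || return 1
  key_matches_cert "$1" "$2" || { echo "FAIL: private key does not match certificate"; rc=1; }
  chain_verifies "$2" "$3" || { echo "FAIL: certificate does not verify against CA file (missing intermediate?)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: key, certificate and CA chain are consistent"
  return "$rc"
}
```

Run it once per role, for example check_tls_files active.key active.pem ca-chain.pem, and fix any FAIL line before clicking Continue.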

After reviewing the settings and making any changes, click Continue.

After all commands complete successfully, click Continue. If the Generate Key Trustee Server Keyring command appears stuck,
make sure that the Key Trustee Server host has enough entropy. See Entropy Requirements for more information.

Click Finish to complete this step and return to the main page of the wizard.

7. Add a Key Trustee KMS Service

This step adds a Key Trustee KMS service to the cluster. The Key Trustee KMS service is required to enable HDFS encryption to use Key Trustee Server for cryptographic key management.
To complete this step:

Select cluster hosts for the Key Trustee KMS service. Cloudera recommends selecting at least two hosts for high availability. If you proceed with only one host, you can enable high
availability later. See Key Trustee KMS High Availability for more information.

The Entropy Considerations page provides commands to install the rng-tools package to increase available entropy for
cryptographic operations. For more information, see Entropy Requirements. After completing these commands, click Continue.

The Setup Organization and Auth Secret page generates the necessary commands to create an organization in Key Trustee Server. An organization is
required to be able to register the Key Trustee KMS with Key Trustee Server. See Managing Key Trustee Server Organizations for
more information.

Enter an organization name and click Generate Instruction. Run the displayed commands to generate an organization and obtain the auth_secret value for the organization. Enter the secret in the auth_secret field and click Continue.

The Setup Access Control List (ACL) page allows you to generate ACLs for the Key Trustee KMS or to provide your own ACLs. To generate the recommended
ACLs, enter the username and group responsible for managing cryptographic keys and click Generate ACLs. To specify your own ACLs, select the Use Your Own kms-acls.xml File option and enter the ACLs. For more information on the KMS Access Control List, see Configuring KMS Access Control Lists.

After generating or specifying the ACL, click Continue.

The Setup TLS for Key Trustee KMS page provides high-level instructions for configuring TLS communication between the Key Trustee KMS and the Key
Trustee Server, as well as between the EDH cluster and the Key Trustee KMS. See Configuring TLS/SSL for the KMS for more
information.

Click Continue.

The Review Changes page lists all of the settings configured in this step. Click the icon next to any setting for information about that setting. Review the settings and click Continue.

After the First Run commands have successfully completed, click Continue.

The Synchronize Private Keys and HDFS Dependency page provides instructions for copying the private key from one Key Management Server Proxy role to
all other roles.
Warning: It is very important that you perform this step. Failure to do so leaves Key Trustee KMS in a state where keys
are intermittently inaccessible, depending on which Key Trustee KMS host a client interacts with, because cryptographic key material encrypted by one Key Trustee KMS host cannot be decrypted by
another. If you are already running multiple Key Trustee KMS hosts with different private keys, immediately back up all Key
Trustee KMS hosts, and contact Cloudera Support for assistance correcting the issue.

To determine whether the Key Trustee KMS private keys are different, compare the MD5 hash of the private keys. On each Key Trustee KMS host, run the following command:

$ md5sum /var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg

If the outputs are different, contact Cloudera Support for assistance. Do not attempt to synchronize existing keys. If you overwrite the private key and do not have a backup, any keys
encrypted by that private key are permanently inaccessible, and any data encrypted by those keys is permanently irretrievable. If you are configuring Key Trustee KMS high availability for the first
time, continue synchronizing the private keys.
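The comparison above is easy to get wrong by eye when there are several KMS hosts. The following added example (not Cloudera's code) gathers the same md5sum from every host and reports OK only when all keyrings are readable and identical; the host names are placeholders, and the ssh user is assumed to be able to read the keyring file.

```shell
#!/bin/sh
# Added example (not Cloudera's code): check that every Key Trustee KMS
# host holds the same private keyring before synchronizing anything.
KEYRING=/var/lib/kms-keytrustee/keytrustee/.keytrustee/secring.gpg

# collect_hashes HOST...: print one "hash host" line per host, using the
# md5sum command from the wizard. The ssh user must be able to read the file
# (assumption); unreadable or unreachable hosts are reported as UNREADABLE.
collect_hashes() {
  for h in "$@"; do
    sum=$(ssh "$h" "md5sum $KEYRING" 2>/dev/null | awk '{print $1}')
    echo "${sum:-UNREADABLE} $h"
  done
}

# keyrings_consistent: read "hash host" lines on stdin and succeed only if
# every host reported a hash and all hashes are identical. Any mismatch
# means the hosts already have different keys, which is the situation the
# warning above says must not be "fixed" by copying keys around.
keyrings_consistent() {
  awk '
    $1 == "UNREADABLE" { bad++; print "ERROR: could not read keyring on " $2; next }
    { seen[$1] = seen[$1] " " $2 }
    END {
      n = 0
      for (h in seen) { n++; print "keyring " h " on" seen[h] }
      if (n == 0) { print "ERROR: no hosts reported a keyring"; exit 1 }
      if (bad > 0 || n != 1) {
        print "MISMATCH: do not synchronize keys; back up all KMS hosts and contact Cloudera Support"
        exit 1
      }
      print "OK: all hosts share one keyring"
    }'
}

# Usage (placeholder host names):
#   collect_hashes kms1.example.com kms2.example.com | keyrings_consistent
```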

Cloudera recommends following security best practices and transferring the private key using offline media, such as a removable USB drive. For convenience (for example, in a development
or testing environment where maximum security is not required), you can copy the private key over the network using the provided rsync command.

After you have synchronized the private keys, check the box to indicate you have done so and click Continue.

After the Key Trustee KMS service starts, click Finish to complete this step and return to the main page of the wizard.

9. Validate Data Encryption

This step launches a tutorial with instructions on creating an encryption zone and putting data into it to verify that HDFS encryption is enabled and working.

Enabling HDFS Encryption Using a Java KeyStore

Note: Cloudera strongly recommends using Cloudera Navigator Key Trustee Server as the root of trust for production environments. The file-based
Java KeyStore root of trust is insufficient to provide the security, scalability, and manageability required by most production systems.

After selecting A file-based password-protected Java KeyStore as the root of trust, the following steps are displayed:

The Setup TLS for Java KeyStore KMS page provides high-level instructions for configuring TLS communication between the EDH cluster and the Java
KeyStore KMS. See Configuring TLS/SSL for the KMS for more information.

Click Continue.

The Review Changes page lists the Java KeyStore settings. Click the icon next to any setting for information about that setting. Enter the location and password for the Java KeyStore and click Continue.

Click Continue to automatically configure the HDFS service to depend on the Java KeyStore KMS service.

Click Finish to complete this step and return to the main page of the wizard.
